As if the daily beating of data breach news wasn’t enough reason to bring the stark reality of cyber risks to the attention of corporate leaders, here comes the European Union’s General Data Protection Regulation (GDPR). Taking effect in May 2018, GDPR is elevating cyber risks to the top of the corporate agenda for organisations that store data about citizens of the European Union.
According to a survey of more than 1,300 senior executives, conducted by insurance and risk management firm Marsh, 65 percent of respondents from organisations that operate in the EU say that they consider “cyber” to be a top risk. That’s a doubling from a similar survey conducted last year that found 32 percent citing “cyber” as a top five risk. Further, the survey showed that 23 percent of those organisations that fall under GDPR have endured a successful cyberattack in the past year.
The heightened cybersecurity concerns and looming GDPR deadline have EU organisations increasing their security and risk management spending. “Of those respondents whose organisations have plans for GDPR implementation, 78 percent said they would increase spending on addressing cyber risk over the next 12 months, including spending on cyber insurance. Notably, 52 percent of those who do not have a plan for GDPR indicated that their investment in cyber risk management would increase,” Marsh writes in this news release.
Surprisingly, with about seven months left, only 8 percent of survey respondents claim that their organisations are currently GDPR compliant and a startling 57 percent say that their enterprises are currently developing compliance plans. And another 11 percent of respondents are in for a very rude awakening, as they’ve reported that they have no compliance plans at all. “Smaller organisations were more likely not to have a plan for GDPR with 19 percent of respondents from businesses with less than $50 million annual revenue replying that no plan was in place,” Marsh wrote.
For those not familiar, GDPR requires that:
- EU citizens’ personally identifiable information (PII) must be adequately protected, managed, and controlled.
- Data breaches must be reported within 72 hours.
- Non-compliant organisations risk significant fines, from 4 percent of annual revenue to €20 million.
According to the survey, 49 percent of the companies have fully developed a data breach incident response plan. Another 10 percent, however, have no plans to do so. It’s shocking that any organisation today wouldn’t have an incident response plan should sensitive data be exposed.
It is not pragmatic for an organisation to assume it will never have to disclose a breach as required by GDPR; that is just plain hope. It is far more sensible to expect to be breached at some point and to plan in advance how the public disclosure will be made. When it comes down to it, the difference between the winners and the losers will be how well the breach is mitigated and managed, and how effective the public response is.